Plan for geographical segmentation of functions and activities
A pandemic can have severe consequences in impacted areas and geographies, making them inaccessible for an extended period of time. As a component of a business impact analysis, companies identify the chain of activities and functions, along with interdependencies (e.g., people, process, technology, data, facilities, third parties) and related impacts, to inform potential mitigation strategies.
From a pandemic planning perspective, companies should pay closer attention to the geographical concentration of these critical activities and functions, and how to segment them for work transfer to alternate locations and sites. As prudent risk management and to the extent possible, companies should look to diversify supplier base, customers and third-party service providers across geographies to avoid single points of failure and increased exposure due to regional outages and geopolitical events.
Invest in technology and infrastructure to support remote work and virtual collaboration capabilities
A pandemic requires employees to stay home to limit exposure and to prevent or slow down the spread of the disease, requiring the activation of remote working capabilities. Unlike an occasional weather event, which may prompt some employees to work remotely, a pandemic may lead to a complete shutdown of the entire facility in an area, forcing a high number of employees to work remotely for an extended duration. This may in turn result in heavier-than-normal traffic on remote connectivity networks, causing capacity and load access issues.
Companies should invest in tools to enable personnel to work remotely and collaborate virtually, assess their current bandwidth to support remote work, perform periodic network stress testing and identify workarounds for critical tasks that are not executable from home. It is worth noting that while remote working is a viable option for the service sector, it does not work as well for manufacturing, thus resulting in critical impacts on product supply chains.
Consider the systemic nature of pandemics when designing response strategies
Companies must challenge and stretch the boundaries for traditional resilience plans to address pandemic events. During a pandemic, some of the standard strategies such as work transfer to alternate sites, relocation of workforce and staff augmentation may not be viable options as personnel and alternate locations/sites may be just as impacted by the event.
Additionally, degradation or limited availability of core infrastructure such as mass transit, telecommunications and internet may pose further challenges to activating plans and strategies. Companies must carefully design distinct strategies; for instance, inter-affiliate contracts to subcontract work to or alternate supply chain vendors to overcome these barriers, and especially plan around areas of high manual intervention and concentration risks, including single points of failure.
Companies should validate that contracts between country-to-country affiliates are in place to reduce uncertainty of terms, rates, payments and regulatory requirements; data-sharing agreements are addressed within the contracts (e.g., General Data Protection Regulation requirements); and, as required in regulated industries, appropriate licenses are in place to conduct the additional work. Further, downstream dependencies should be considered. For example, if contractor onboarding is concentrated in the impacted region, capabilities in other locations that could be quickly mobilized should be entertained.
Assess reliance on third parties
Companies today have increased interconnectedness with third parties such as outsourced vendors, cloud service providers, data processors, aggregators, payment processors and suppliers for delivery of products and services. These third parties are also vulnerable to pandemic events. Companies must develop a thorough understanding of their critical third, fourth and fifth parties, and their resilience programs, and develop alternate plans, for instance insource strategies or substitutability, if the critical third party’s ability to perform services is impaired.
Companies should also validate alignment between their alternate plans and those of their third parties. Conversely, companies should also identify instances where there may be opportunities to rely on certain third parties with geographically dispersed operations to assist with critical activities performed internally. However, in planning for such third-party alternatives, companies must recognize that their peers and competitors may look to the same third parties for assistance during a market contagion, leading to concentration risk.
Companies must assess third-party capacity and bandwidth considering these market dependencies and, where possible, explore opportunities to embed contractual clauses that allow companies to be prioritized for products and services in relation to their competitors.
Engage with customers
As observed during natural catastrophes, customers are generally more empathetic to degradation or discontinuation of certain products and services during disruptions that are beyond a company’s control and involve life safety concerns than they are toward those that are perceived to be preventable (e.g., system glitches). However, they expect transparency and timely updates.
Companies must continue to communicate with customers through multiple channels, reinforce that customer interests are a priority and provide information to alleviate their concerns. Customers may have specific questions around a company’s supply chain, especially if resources are located in impacted areas, and also may have questions around how those resources may pose any potential risks to them for future use of the company’s products and services.
A clearly drafted frequently-asked-questions document published and disseminated through multiple channels, including the company’s website and social media, can prove to be a useful tool to proactively address customer concerns. Additionally, companies may consider reaching out to affected customers to check in on their safety and offer assistance, where appropriate.
Develop a robust communication strategy (including social media)
Effective communications during any crisis are crucial to maintaining customer trust, restoring employee morale and confidence, and retaining market stability. While companies have a communications strategy and designated points of contact to engage with internal and external stakeholders, often times the messaging is inconsistent and untimely. For companies that have both retail and corporate customers, consistent messaging is key. All channels must reconcile (e.g., social media, customer call centers, public relations releases).
Additionally, events like a pandemic can add another layer of complexity due to circulation of false news and narratives on social media. To provide cohesive and timely enterprise messaging, companies must establish a robust communications strategy that clearly lays out process and protocols to engage with a wide set of stakeholders (e.g., customers, counterparties, regulators, employees, third parties, governments, media, health officials) inclusive of any legal and jurisdictional considerations.
For highly regulated industries such as financial services, health care, and power and utilities, companies should determine and comply with applicable federal, state and local reporting requirements (e.g., disclosure of material risks and impacts), and have a process in place to notify and engage with regulators proactively across various jurisdictions. Furthermore, employees should receive training on the characteristics of a pandemic and how pandemics differ from traditional disasters. Lastly, companies should identify alternatives if corporate communications are centralized in one location.
Team with public sector; national, state and local agencies; and health officials
Pandemics are a public issue first and a business issue second. Hence, it is important for the public and private sector to come together to provide an adequate and comprehensive response to a pandemic event. Companies must leverage advisories, resources and health safety measures prescribed by international, national and local agencies and health officials, and refrain from distributing conflicting materials as this can lead to confusion and fear among employees.
While well intended, companies must closely coordinate on any direct efforts (e.g., providing supplies) to support communities with local agencies to avoid chaos, and to not impede any public assistance efforts underway. Communication strategy and channels to engage effectively with local and national authorities should be established. Companies may set up matching grant and other financial assistance programs to help employees and communities in financial distress during this time.
Increase rigor and complexity of testing
Companies must elevate the complexity of existing scenarios used for testing and simulations to assess preparedness for pandemic events. This includes testing against scenarios that evaluate their response to extended periods of outages; total shutdown of a major operational facility, city or region; increased absenteeism (more than half workforce); multiple outages; and so on.
In addition, companies must rehearse crisis management governance and response, including C-suite executives and delegations of authority at least two levels down from primary decision-makers, so that delegates are well prepared to execute timely decisions in the event primary decision-makers are not available. Companies should also include critical third parties in select tabletop simulations to gain a better understanding of interdependencies and points of coordination, and to assess effectiveness of their resilience plans.
Leverage pandemic command center to prioritize and govern effectively
As time goes by, a widespread pandemic event will assert more pressure on existing resources, infrastructure and technology, resulting in significant degradation of products and services. As resources become constrained, firms must constantly re-prioritize delivery of products and services that are absolutely critical to meet customer needs and provide market stability.
Equally important is a thorough understanding of activities that must be de-prioritized to allow effective repositioning of available resources. Companies must have a clearly documented prioritization framework, inclusive of associated risk tolerances, supported by a robust governance process to make risk acceptance decisions (e.g., discontinuation of certain services) during an event.
Additionally, a pandemic command center setup can go a long way in enabling rapid decision-making, drive clear accountability, provide heightened event monitoring and reporting, and disseminate cohesive enterprise messaging, internally and externally. Companies must also institute a back-end quality control process to identify and rectify errors if work is performed by employees with less tenure and cross-training, or by those operating in overtime conditions.
Establish crisis management exception approval process
In the event of a crisis, there are instances when companies need to deviate from standard policies and procedures to best meet the needs of their customers and employees. For instance, a company may not support or have stringent policies with regard to family travel expenses, overtime or remote work, corporate card usage and so on during the normal course of the business; however, these policy exceptions may be necessary and permissible during an actual crisis.
Companies must expand on existing human resources, finance, legal, operations and business processes to accommodate certain critical exceptions, and clearly communicate the revised policies, criteria and processes to allow such waivers in an accelerated manner. All potential changes to existing policies should be carefully reviewed by risk management, compliance and legal prior to being finalized and should take into account what risks are appropriate to accept and any legal and jurisdictional nuances (e.g., local overtime laws across different geographies).
10 next steps for leaders
- Communicate with employees to raise awareness, enforce policies (e.g., travel restrictions) and familiarize them with available tools and resources
- If pandemic planning considerations have not been incorporated into existing business continuity and disaster recovery strategies or updated, begin rapid planning or refresh of pandemic strategies and actions
- Perform an immediate assessment of processes and functions with high manual intervention and critical third-party dependencies, especially in high vulnerability and impact locations, to understand key risks, including any single points of failure
- Review crisis communication plan and designate single points of contact to facilitate seamless engagement with local, national and global authorities, and other key internal and external stakeholders
- Identify potential policy exceptions and institute a crisis management exception approval process to manage such exceptions on an accelerated basis in each jurisdiction
- Confirm employees have the requisite capabilities, including access to requisite share drives, documents and other critical tools, to perform critical tasks remotely
- Review relevant standard operating procedures and manuals and update them, as necessary
- Monitor the situation and provide regular briefings to leaders on any emerging threats and issues
- Ask employees to confirm and update contact information (primary and secondary) in company records, as necessary
- Conduct brief pandemic training with employees to enhance employee and organizational preparedness to respond effectively